CVE-2021-32702

8.0 HIGH

📋 TL;DR

The Auth0 Next.js SDK versions 1.4.1 and lower contain a reflected cross-site scripting (XSS) vulnerability. Attackers can inject malicious JavaScript code via the 'error' query parameter during authentication callbacks, which gets executed in users' browsers. This affects any Next.js application using the vulnerable SDK version without custom error handling that properly sanitizes HTML output.

💻 Affected Systems

Products:
  • @auth0/nextjs-auth0
Versions: <= 1.4.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the default error handling that returns error messages in HTML responses. Custom error handling that doesn't output error messages as HTML is not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers can steal user authentication tokens, session cookies, and sensitive data, potentially leading to full account compromise and lateral movement within the application.

🟠

Likely Case

Attackers can execute arbitrary JavaScript in victims' browsers, enabling session hijacking, credential theft, and client-side data exfiltration.

🟢

If Mitigated

With proper input validation and output encoding, the risk is minimal, though the vulnerable code path remains present.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires tricking users into clicking a malicious link containing the XSS payload in the error parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.2

Vendor Advisory: https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-954c-jjx6-cxv7

Restart Required: No

Instructions:

1. Update package.json to specify @auth0/nextjs-auth0 version 1.4.2 or higher.
2. Run 'npm update @auth0/nextjs-auth0' or 'yarn upgrade @auth0/nextjs-auth0'.
3. Rebuild and redeploy your Next.js application.

🔧 Temporary Workarounds

Implement Custom Error Handling


Create custom error handling that doesn't output error messages in HTML responses or properly sanitizes all user input.

Input Validation Middleware


Add middleware to validate and sanitize all query parameters before they reach the callback handler.
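The two workarounds above both come down to the same rule: the `error` value from the callback URL is attacker-controlled and must never reach the browser as unescaped HTML. The following is an added example, not code from the Auth0 SDK or from this advisory. It shows the reflecting pattern next to two safe alternatives (HTML-escaping the message, or answering with text/plain), plus a wrapper that applies the safe version to any thrown callback error. The response object is a small stand-in constructed for the example, and `handleCallback` is a placeholder for whatever callback handler the application uses.

```javascript
// Added example (not the Auth0 SDK's own code). The message passed to these
// functions is assumed to originate from the untrusted `error` query
// parameter on an authentication callback URL.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of HTML text or attributes.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Minimal stand-in for a Node/Next.js API response object (constructed for
// this example; not the real `res`).
function makeResponse() {
  const res = { statusCode: 200, headers: {}, body: '' };
  res.status = (code) => { res.statusCode = code; return res; };
  res.setHeader = (k, v) => { res.headers[k.toLowerCase()] = v; return res; };
  res.end = (body) => { res.body = body; return res; };
  return res;
}

// Vulnerable pattern: the untrusted message is interpolated straight into
// an HTML body, so markup in it is rendered and scripts in it execute.
function sendErrorUnsafe(res, message) {
  res.status(400).setHeader('Content-Type', 'text/html; charset=utf-8');
  return res.end(`<h1>Authentication error</h1><p>${message}</p>`);
}

// Safe pattern A: keep the HTML page but escape the untrusted message.
function sendErrorEscaped(res, message) {
  res.status(400).setHeader('Content-Type', 'text/html; charset=utf-8');
  return res.end(`<h1>Authentication error</h1><p>${escapeHtml(message)}</p>`);
}

// Safe pattern B: do not produce HTML at all; the browser will not parse
// a text/plain body as markup.
function sendErrorPlain(res, message) {
  res.status(400).setHeader('Content-Type', 'text/plain; charset=utf-8');
  return res.end(message);
}

// Wrap a callback handler so every thrown error is reported safely.
// `handleCallback` is a placeholder for the application's callback handler.
function withSafeErrorHandling(handleCallback) {
  return async function callback(req, res) {
    try {
      await handleCallback(req, res);
    } catch (err) {
      sendErrorEscaped(res, err && err.message ? err.message : 'Authentication failed');
    }
  };
}

// Demo with a constructed payload: the unsafe body contains a live tag,
// the escaped body contains only inert text.
const SAMPLE_MESSAGE = '<script>alert(1)</script>';
console.log(sendErrorUnsafe(makeResponse(), SAMPLE_MESSAGE).body);
console.log(sendErrorEscaped(makeResponse(), SAMPLE_MESSAGE).body);
console.log(sendErrorPlain(makeResponse(), SAMPLE_MESSAGE).headers['content-type']);
```

Escaping at the point of output is the check that matters; validating the parameter earlier in middleware is a useful second layer but does not replace it, because any other code path that reflects the value would still be exposed.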

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
  • Deploy a Web Application Firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for @auth0/nextjs-auth0 version <= 1.4.1

Check Version:

npm list @auth0/nextjs-auth0 | grep @auth0/nextjs-auth0

Verify Fix Applied:

Verify installed version is >= 1.4.2 using 'npm list @auth0/nextjs-auth0' or check package.json
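The version check above can be automated against the lock file so it runs in CI rather than by hand. The following is an added example, not part of this advisory: it reads a package-lock.json object (lockfile v1 or v2/v3 layout), finds the installed @auth0/nextjs-auth0 version and reports whether it is below the fixed version 1.4.2. The lock-file fragments are constructed for the example; a real run would `JSON.parse` the file contents instead.

```javascript
// Added example (not part of the advisory or the Auth0 project).
// Decides from package-lock.json data whether the installed
// @auth0/nextjs-auth0 falls in the affected range (<= 1.4.1).

const PACKAGE_NAME = '@auth0/nextjs-auth0';
const FIXED_VERSION = '1.4.2';

// Accept "1.4.1", "v1.4.1" or "1.4.1-beta.0"; prerelease and build tags
// are ignored, which is enough for a less-than check against 1.4.2.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of major.minor.patch; string comparison would
// wrongly rank 1.4.10 below 1.4.2.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableVersion(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Lockfile v2/v3 lists packages under "packages" keyed by install path;
// v1 lists them under "dependencies" keyed by package name.
function installedVersion(lock) {
  const pkg = lock.packages && lock.packages[`node_modules/${PACKAGE_NAME}`];
  if (pkg && pkg.version) return pkg.version;
  const dep = lock.dependencies && lock.dependencies[PACKAGE_NAME];
  if (dep && dep.version) return dep.version;
  return null;
}

function assessLockfile(lock) {
  const version = installedVersion(lock);
  if (version === null) return { installed: false, version: null, vulnerable: false };
  return { installed: true, version, vulnerable: isVulnerableVersion(version) };
}

// Constructed lock-file fragments for the demo.
const vulnerableLock = {
  lockfileVersion: 2,
  packages: { 'node_modules/@auth0/nextjs-auth0': { version: '1.4.1' } },
};
const patchedLock = {
  lockfileVersion: 1,
  dependencies: { '@auth0/nextjs-auth0': { version: '1.4.2' } },
};

console.log(assessLockfile(vulnerableLock)); // { installed: true, version: '1.4.1', vulnerable: true }
console.log(assessLockfile(patchedLock));    // { installed: true, version: '1.4.2', vulnerable: false }
```

Checking the lock file rather than package.json avoids being misled by a range such as `^1.4.0`, which states what is allowed, not what is installed.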

📡 Detection & Monitoring

Log Indicators:

  • Unusually long error parameter values in authentication callback URLs
  • JavaScript patterns in error query parameters

Network Indicators:

  • HTTP requests with script tags or JavaScript code in error query parameters

SIEM Query:

url:*error=*<script* OR url:*error=*javascript:*
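The SIEM query above matches two literal patterns in the raw URL and misses percent-encoded payloads, which is how a real callback URL usually arrives. The following is an added example, not part of this advisory: it applies the log indicators listed above (length and JavaScript-like content in the `error` parameter) to access-log lines after URL-decoding the parameter, so `%3Cscript%3E` is caught as well as `<script>`. The log lines and the length threshold are constructed for the example, and the line layout assumed is the common combined format with the request in quotes.

```javascript
// Added example (not part of the advisory): flag callback requests whose
// `error` query parameter matches the page's log indicators. Sample log
// lines and the length threshold are constructed for this example.

const MAX_ERROR_LENGTH = 200; // assumed threshold for "unusually long"

// Named patterns so a hit explains itself.
const SUSPICIOUS = [
  { name: 'script-tag', re: /<\s*script/i },
  { name: 'javascript-scheme', re: /javascript\s*:/i },
  { name: 'event-handler', re: /\bon[a-z]+\s*=/i },
  { name: 'html-tag', re: /<\s*(img|svg|iframe|object|embed)\b/i },
];

// Pull the decoded `error` value out of a request path. The placeholder
// origin exists only so the URL parser accepts a relative path.
function extractErrorParam(path) {
  let url;
  try { url = new URL(path, 'http://placeholder.invalid'); } catch { return null; }
  const raw = url.searchParams.get('error'); // already percent-decoded once
  if (raw === null) return null;
  let value = raw;
  try { value = decodeURIComponent(raw); } catch { /* keep single-decoded value */ }
  return value; // second decode catches double-encoded payloads
}

function classifyErrorParam(value) {
  const reasons = [];
  if (value.length > MAX_ERROR_LENGTH) reasons.push('length');
  for (const { name, re } of SUSPICIOUS) {
    if (re.test(value)) reasons.push(name);
  }
  return reasons;
}

// Request path out of a combined-format access log line.
const REQUEST_RE = /"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP\/[\d.]+"/;

function scanLogLines(lines) {
  const hits = [];
  for (const line of lines) {
    const m = REQUEST_RE.exec(line);
    if (!m) continue;
    const value = extractErrorParam(m[1]);
    if (value === null) continue;
    const reasons = classifyErrorParam(value);
    if (reasons.length) hits.push({ path: m[1], reasons });
  }
  return hits;
}

// Constructed sample log: one benign error, two suspicious ones, one unrelated.
const SAMPLE_LOG = [
  '203.0.113.10 - - [01/Jul/2021:10:00:00 +0000] "GET /api/auth/callback?error=access_denied&error_description=denied HTTP/1.1" 400 512',
  '203.0.113.11 - - [01/Jul/2021:10:00:01 +0000] "GET /api/auth/callback?error=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 400 600',
  '203.0.113.12 - - [01/Jul/2021:10:00:02 +0000] "GET /api/auth/callback?error=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 400 600',
  '203.0.113.13 - - [01/Jul/2021:10:00:03 +0000] "GET /api/auth/login HTTP/1.1" 302 0',
];

console.log(scanLogLines(SAMPLE_LOG)); // two hits: script-tag; event-handler + html-tag
```

Legitimate OAuth error codes such as `access_denied` are short identifiers, so a length or markup check on this one parameter produces few false positives; the `event-handler` pattern is the loosest of the four and is worth reviewing before it drives alerting.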

🔗 References
